Re: [squid-users] 3.3.1 ssl-bump-server-first for google domain lockdown

From: Robert Mason <rmason_at_rodeofx.com>
Date: Mon, 1 Apr 2013 23:56:33 -0400

Hi Alex,

I think I have finally got it.

Just read another post here:
http://www.squid-cache.org/mail-archive/squid-users/200910/0629.html

and while I didn't want to just copy certs from my laptop to the
firewall, it's an embedded device with a hard drive just for squid so
it didn't seem to have any certs in /etc/ssl. As soon as I copied my
certs folder over, magic started to happen.

This service is not available

Gmail is not available for user_at_gmail.com within this network. Gmail
is only available for accounts in the following domains:

mydomain.com

Please talk to your network administrator for more information.

Did you use this product with a different Google Account? Sign out of
your current Google Account and then sign in to the account you want.

Huzzah!

If you have any suggestions about how to properly update that certdir
instead of just copying it over I'd gladly give it a try.

Thanks once again!

On Mon, Apr 1, 2013 at 11:40 PM, Robert Mason <rmason_at_rodeofx.com> wrote:
> Hi Alex,
>
> Thanks for all your help so far!
>
> After further investigation I did find that my squid was indeed not
> bumping and spent the weekend rebuilding my setup. What I found was
> that I was misinterpreting some of the cache directives, most
> importantly https_port. Basically at some point I ended up with
> things configured wrong such that I was sending https requests to the
> proxy at which point the error message (and google) led me to a previous
> reply of yours to a mailing list post:
>
> http://www.squid-cache.org/mail-archive/squid-users/201002/0586.html
>
> which set me on the right path. At least I think it did...
>
> I can't use intercept and actually don't want a transparent proxy
> since I will require users to authenticate in order to provide
> different levels of access based on ldap auth. Fun stuff right?
>
> So I did finally get my config to generate certs using the following:
>
> http_port 192.168.199.254:3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB
> cert=/usr/local/etc/squid/ssl_cert/myCA.pem
>
> ssl_bump server-first all
>
> And I do now see entries in my ssl_crt folder on the server but when I
> attempt to reach an https site I get this in the browser:
>
> The following error was encountered while trying to retrieve the URL:
> https://accounts.google.com/*
>
> Failed to establish a secure connection to 74.125.133.84
>
> The system returned:
>
> (92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>
> SSL Certficate error: certificate issuer (CA) not known:
> /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>
> This proxy and the remote host failed to negotiate a mutually
> acceptable security settings for handling your request. It is possible
> that the remote host does not support secure connections, or the proxy
> is not satisfied with the host security credentials.
>
> Then in cache.log:
>
> 2013/04/01 23:26:11 kid1| fwdNegotiateSSL: Error negotiating SSL
> connection on FD 19: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> (1/-1/0)
>
> But I have imported the certificate in firefox...
>
> Am I missing an all again somewhere ;)
>
> Thanks once again,
> Rob
>
> On Thu, Mar 28, 2013 at 6:43 PM, Alex Rousskov
> <rousskov_at_measurement-factory.com> wrote:
>> On 03/28/2013 04:11 PM, Robert Mason wrote:
>>
>>> I am seeing GET, POST and CONNECT requests to google in access.log.
>>
>> Just to make sure we are on the same page, are all of the items below true?
>>
>> 1. You see a CONNECT request to google.com in access.log.
>>
>> 2. You see a non-CONNECT request to google.com from the same
>> client-Squid connection as CONNECT request in #1 but logged after #1.
>>
>> 3. You see an origin server certificate _signed_ by Google when looking
>> at responses for request in #2.
>>
>> You can use browser tools like FireBug or %>p logformat code to make
>> sure that records in #1 and #2 belong to the same client-Squid connection.
>>
>> If you see #1 but not #2, then your Squid is not bumping. If you also
>> see errors or warnings in cache.log, they may explain why.
>>
>> If you see #1, #2, and #3, then check again because that combination is
>> not possible.
>>
>>
>> Thank you,
>>
>> Alex.
>>
>>
>>> On Wed, Mar 27, 2013 at 1:27 AM, Alex Rousskov
>>> <rousskov_at_measurement-factory.com> wrote:
>>>> On 03/24/2013 01:39 AM, Robert Mason wrote:
>>>>> Hi Alex! Thanks for the reply.
>>>>>
>>>>> It seems to see the CONNECT yes.. but still no joy.
>>>>>
>>>>> 192.168.99.100 TCP_MISS/200 114940 CONNECT mail.google.com:443
>>>>
>>>> Good. This means that Squid intercepts HTTPS traffic from the browser.
>>>> The next step is to figure out whether Squid bumps those intercepted
>>>> connections. Are there non-CONNECT requests for mail.google.com:443 in
>>>> access.log?
>>>>
>>>>
>>>>> ssl_bump server-first
>>>>
>>>> Your ssl_bump directive is missing an ACL. Try adding "all":
>>>>
>>>> ssl_bump server-first all
>>>>
>>>>
>>>> HTH,
>>>>
>>>> Alex.
>>>>
>>>>
>>>>> On Fri, Mar 22, 2013 at 12:19 AM, Alex Rousskov wrote:
>>>>>> On 03/21/2013 04:21 PM, Robert Mason wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I've been trying to set up a system to do ssl interception and dynamic
>>>>>>> certificate generation in order to prevent our users from signing in
>>>>>>> to their personal gmail accounts (our company mail is through gmail).
>>>>>>>
>>>>>>> From the info here
>>>>>>> http://support.google.com/a/bin/answer.py?hl=en&answer=1668854 I found
>>>>>>> that I needed to add a header in the request and have that working:
>>>>>>>
>>>>>>> request_header_add X-GoogApps-Allowed-Domains rodeofx.com all
>>>>>>>
>>>>>>> adds it to every http request which I'm fine with but I need to add it
>>>>>>> to https requests and that's not happening.
>>>>>>>
>>>>>>> I have tried things like:
>>>>>>>
>>>>>>> http_port 192.168.168.253:3128 ssl-bump generate-host-certificates=on
>>>>>>> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
>>>>>>>
>>>>>>> always_direct allow all
>>>>>>> ssl_bump allow all
>>>>>>> # the following two options are unsafe and not always necessary:
>>>>>>> #sslproxy_cert_error allow all
>>>>>>> #sslproxy_flags DONT_VERIFY_PEER
>>>>>>>
>>>>>>> sslcrtd_program /etc/squid/libexec/squid/ssl_crtd -s
>>>>>>> /etc/squid/var/lib/ssl_db -M 4MB
>>>>>>> sslcrtd_children 5
>>>>>>>
>>>>>>> No love though.. I still get the regular google cert and don't see
>>>>>>> certs in my ssl_db folder.
>>>>>>>
>>>>>>> If anyone has suggestions to offer I'd really appreciate it.
>>>>>>
>>>>>> Does Squid get CONNECT requests for Google domains? Check access.log.
>>>>>>
>>>>>> If it does, are there any errors or warnings in cache.log?
>>>>>>
>>>>>> Alex.
>>>>>>
>>>>
>>
Received on Tue Apr 02 2013 - 03:56:41 MDT

This archive was generated by hypermail 2.2.0 : Tue Apr 02 2013 - 12:00:04 MDT
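The verification failure in the thread (OpenSSL refusing the origin server's chain because no local CA directory could supply the issuer) and the poster's question about maintaining that directory without a blind copy are shown in the script below. It is an added example, not code from the thread or from Squid; it assumes only an `openssl` CLI of 1.1 or later, builds its own throwaway CA and leaf certificate, and names its directory `certs` as a stand-in for the Squid box's /etc/ssl/certs.

```shell
#!/bin/sh
# Added example, not from the thread or from Squid: reproduce the failure in
# the cache.log excerpt (OpenSSL's "unable to get local issuer certificate",
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) against an empty CA directory,
# then install a CA the way c_rehash / `openssl rehash` do and verify again.
# Every certificate is constructed locally; nothing is fetched from the network.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CADIR="$WORK/certs"            # stands in for the Squid box's /etc/ssl/certs
mkdir -p "$CADIR"

# verify_leaf DIR CERT: the check OpenSSL performs for Squid's outbound TLS
# connection, with DIR as the only trust source. Prints "ok" on success,
# otherwise the first error line from openssl, and returns 0 / 1.
verify_leaf() {
    out=$(openssl verify -no-CAfile -CApath "$1" "$2" 2>&1) || true
    case "$out" in
        *": OK"*) echo ok; return 0 ;;
        *) echo "$out" | grep -i error | head -n 1; return 1 ;;
    esac
}

# install_ca DIR CERT: copy one CA certificate into DIR and add the
# <subject_hash>.0 symlink that the -CApath (by_dir) lookup requires;
# a bare copy without the hashed link is never found by OpenSSL.
install_ca() {
    cp "$2" "$1/"
    subj_hash=$(openssl x509 -noout -subject_hash -in "$2")
    ln -sf "$(basename "$2")" "$1/$subj_hash.0"
}

# Throwaway root CA (plays the public CA that issued the site certificate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.csr" \
    -subj "/CN=Constructed Test Root" 2>/dev/null
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null

# Leaf certificate signed by that CA (plays the origin server's certificate).
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
    -subj "/CN=mail.example.test" 2>/dev/null
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/srv.pem" 2>/dev/null

verify_leaf "$CADIR" "$WORK/srv.pem" || true   # empty dir: issuer not found
install_ca "$CADIR" "$WORK/ca.pem"
verify_leaf "$CADIR" "$WORK/srv.pem"            # prints: ok
```

On the real proxy the same install_ca step, or running c_rehash / `openssl rehash` over the directory after adding or replacing a CA, keeps the hashed links consistent instead of copying a whole directory from another machine; Squid reads that directory through OpenSSL's default path or the sslproxy_capath directive.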